[2723] in cryptography@c2.net mail archive
Re: FYI: I believe Microsoft has knowingly violated the export
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Wed May 20 10:26:31 1998
In-Reply-To: <199805191312.JAA02491@shell2.shore.net>
Date: Wed, 20 May 1998 08:30:14 -0400
To: Rich Salz <rsalz@shore.net>, cryptography@c2.net
From: "Arnold G. Reinhold" <reinhold@world.std.com>

At 9:12 AM -0400 5/19/98, Rich Salz wrote:
...
>
>The problem is that the NSA ordinarily calls the technique used by
>Microsoft "crypto with a hole," and they routinely deny export approval
>for such products. Their reasoning is that it would be fairly
>straightforward to "add in" the cryptography.
...
> - Why is Microsoft allowed to do this when other companies
> are not?

There are a number of other "crypto with a hole" systems on the market now.
Java has an extensive crypto facility, with only the encryption algorithms
themselves export restricted. Replacement code written outside North
America is widely available. Netscape recently released the source of its
browser, sans crypto. (Why doesn't Netscape designate an official European
supplier who could add non-US crypto and sell a 128-bit browser world wide?)

One could argue that any computer with a programming language is "crypto
with a hole." You can easily write a usable strong encryption program in
two dozen lines of Basic. (See http://ciphersaber.gurus.com)

But perhaps the most interesting example of "crypto with a hole" is e-mail.
Apparently (this is based on trade show conversations a few years ago) the
makers of Eudora and other e-mail clients were encouraged to include a
crypto plug-in capability by the NSA itself. The NSA needed those hooks to
be able to deliver Fortezza protected e-mail to its customers in a
reasonable time frame.

Arnold Reinhold
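
The size argument in the message, shown as an added example that is not part of the original e-mail or of the CipherSaber site: a Python sketch of the CipherSaber-1 scheme (RC4 keyed with the passphrase followed by a 10-byte random IV, with the IV prepended to the ciphertext). The function names are chosen here, and the layout is assumed from the published CipherSaber-1 description, not taken from the message.

```python
import os
from typing import Optional

IV_LEN = 10  # CipherSaber-1: 10 random bytes prepended to every ciphertext


def rc4_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with the RC4 keystream for key (same call encrypts and decrypts)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling: permute the state under the key
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation, one state swap per output byte
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def cs1_encrypt(passphrase: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """Return IV || RC4(passphrase || IV, plaintext); a fresh IV is drawn by default."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    if len(iv) != IV_LEN:
        raise ValueError("IV must be exactly 10 bytes")
    return iv + rc4_xor(passphrase + iv, plaintext)


def cs1_decrypt(passphrase: bytes, blob: bytes) -> bytes:
    """Split off the 10-byte IV and regenerate the same keystream."""
    if len(blob) < IV_LEN:
        raise ValueError("ciphertext shorter than the IV")
    return rc4_xor(passphrase + blob[:IV_LEN], blob[IV_LEN:])


if __name__ == "__main__":
    # Constructed sample input. RC4 has known keystream biases and this format
    # carries no integrity check; the block illustrates code size only.
    blob = cs1_encrypt(b"constructed passphrase", b"hello, list")
    print(blob.hex(), cs1_decrypt(b"constructed passphrase", blob))
```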